Kylie Grant – Project Director
While the UK is part of the EU, data can be freely transferred between the two. The current proposed withdrawal agreement provides assurance to businesses that data may continue to be transferred between the EU and UK until 2020 while a longer term solution can be implemented; however, if the UK exits the EU without a deal, European businesses will need to put safeguards in place for transferring data to the UK.
One of the safeguards that can be relied upon for transferring data outside of the EEA is an adequacy decision. An adequacy decision is where the EU has assessed a country’s data protection laws and deemed them at least equivalent to the EU’s. The European Commission will not take an adequacy decision on the UK until it becomes a third county and have not indicated a time frame for doing so. In other cases, adequacy assessment and negotiations have taken many moths; therefore, UK businesses will need other mechanisms in place with their European data exporters to ensure that data can continue to flow freely and lawfully in the event of a no-deal Brexit.
What can UK businesses do to ensure they can still receive data from Europe following a no-deal Brexit?
UK businesses that are part of a multi-national group may consider (or already have in place) binding corporate rules (BCR’s); these are internal rules for the transfer of data among separate entities within a corporate group. If BCR’s are not applicable, UK businesses may consider incorporating standard contractual clauses (SCC’s) into their contracts with European organisations. The UK’s data protection authority, the ICO, has put together a contract builder to assist UK business to implement SCC’s. It may also be possible to rely on other safeguards in accordance with Article 46 of the GDPR.
Whilst it is the European organisations who have the responsibility for adhering to the GDPR, if your business relies on exchanging personal data with European organisations then you should take action now to protect your position with your European clients and suppliers. Refer to the ICO’s no deal Brexit guidance and 6 steps to take.
If you need legal advice and don’t have a data protection lawyer, contact your Menzies relationship manager and we will put you in touch with an appropriate legal professional.